This Page Is Inserted by IFW Operations 
and is not a part of the Official Record 

BEST AVAILABLE IMAGES 

Defective images within this document are accurate representations of 
the original documents submitted by the applicant. 

Defects in the images may include (but are not limited to): 

• BLACK BORDERS 

• TEXT CUT OFF AT TOP, BOTTOM OR SIDES 

• FADED TEXT 

• ILLEGIBLE TEXT 

• SKEWED/SLANTED IMAGES 

• COLORED PHOTOS 

• BLACK OR VERY BLACK AND WHITE DARK PHOTOS 

• GRAY SCALE DOCUMENTS 



IMAGES ARE BEST AVAILABLE COPY. 



As rescanning documents will not correct images, 
please do not report the images to the 
Image Problem Mailbox. 



THIS 




Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 




(vj) Publication number: 0 677 801 A1 



EUROPEAN PATENT APPLICATION 



@ Application number: 95302117.7 
(22) Date of filing : 29.03.95 



<§) mt. ci. 6 : G06F 1/00, G07C 9/00 



(So) Priority : 04.04.94 US 223252 

(43) Date of publication of application 
18.10.95 Bulletin 95/42 



@ Designated Contracting States : 
DE ES FR GB IT 



(n) Applicant : AT & T Corp. 
32 Avenue of the Americas 
New York, NY 10013-2412 (US) 



(72) Inventor : Blonder, Greg E. 
112 Mountain Avenue 
Summit, New Jersey 07901 (US) 

(74) Representative : Watts, Christopher Malcolm 
Kelway, Dr. et al 
AT&T (UK) Ltd. 
5, Mornington Road 
Woodford Green Essex, IG8 0TU (GB) 



(54) Graphical password. 



(57) A graphical password arrangement displays a 
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Technical Field 

This invention relates generally to processing 
systems and specifically relates to resource-access 
control arrangements such as password arrange- 
ments. 

Background of the Invention 

The use of passwords to control access to re- 
sources such as computers, databases, telecommu- 
nications facilities, etc., is well known and under- 
stood. Before being given access to a requested re- 
source, a user is required to enter a valid password as 
a way of ensuring that the user is authorized to access 
the resource. Normally, the password is a word or 
some other sequence of alphanumeric characters. 
The normal method of entry is to speak the word into 
a microphone or to key the sequence of characters in 
on a terminal or a telephone keyboard. 

Conventional alphanumeric passwords suffer 
from disadvantages, however. Firstly, they are diffi- 
cult for the users to remember, particularly if they are 
arbitrary alphanumeric sequences rather than normal 
words. Secondly, they are relatively easy to compro- 
mise, particularly by the use of a computer that is pro- 
grammed to automatically try all dictionary words or 
all permutations of some number of alphanumeric 
characters as passwords in an attempt to gain unau- 
thorized access to a resource. 

To overcome these difficulties, recently new se- 
curity arrangements have been developed that rely 
on sensing of a user's individual and not readily du- 
plicated characteristics as a means of validating the 
users identity. These include voice analyzers, retina 
scanners, fingerprint image analyzers, and face im- 
age analyzers. While quite effective in overcoming 
the disadvantages associated with conventional al- 
phanumeric passwords, these arrangements have 
disadvantages of their own. Chief amongst them is 
their complexity and associated cost, which make 
their use impractical for most of applications. 

Summary of the Invention 

This invention is directed to overcoming these 
and other problems and disadvantages of the prior 
art. Generally according to the invention, there is pro- 
vided a graphical password arrangement, wherein a 
user seeking access to a resource is presented with 
a predetermined image on a visual display and is re- 
quired to point to (e.g. touch) one or more predeter- 
mined positions on the displayed image (referred to 
herein as "tap regions'*) in a predetermined order as 
a way of indicating his or her authorization to access 
the resource. 

Specifically according to the invention as 
claimed, there is provided a graphical password ar- 



rangement and/or method. The arrangement com- 
prises means for displaying a predetermined image, 
means for storing a predetermined number of prede- 
termined positions in the predetermined image as a 

5 password, means responsive to a user for determin- 
ing a user's selections of locations in the displayed 
image, means for determining whether the deter- 
mined locations selected by the user correspond to 
the predetermined positions of the password, and 

10 means responsive to a determination of a lack of cor- 
respondence between the determined locations and 
the predetermined positions for denying the user ac- 
cess to a resource that is protected by the password. 
The method correspondingly comprises the steps of 

15 displaying a predetermined image, selecting loca- 
tions in the displayed image under user control, de- 
termining whether the selected locations correspond 
to a predetermined number of predetermined posi- 
tions in the predetermined image that are stored as a 

20 password, and denying the user access to the re- 
source in response to a determination that correspon- 
dence is lacking between the selected locations and 
the predetermined positions. 

The invention possesses numerous advantages 

25 over the prior art. Firstly, people generally find im- 
ages to be easier to recall than alphanumeric se- 
quences, particularly images with personal meaning. 
Secondly, even a very coarse matrix of tap regions 
yields great security. For example, in an arrangement 

30 that uses a 3 inch-by-5 inch (7.5 cm -by- 1 2.5 cm) dis- 
play with one-quarter inch square (6 mm -by- 6 mm) 
tap regions and that requires the user to touch three 
tap regions in the correct order, there are 1 3.6 million 
possible combinations. In comparison, a four-digit 

35 password like a personal identification number (PIN) 
is one of only 10,000 possible combinations, and a 
three-letter password is one of only 17,000 possible 
combinations. Thirdly, in equipment that already in- 
cludes a touch-sensitive or a graphics display, the 

40 graphical password arrangement is substantially no 
more difficult or expensive to implement than a con- 
ventional password arrangement. But even if the cost 
and complexity of a touch-sensitive or graphics dis- 
play and associated software is factored in, the 

45 graphical password may be simpler and less costly to 
implement than the new security arrangements that 
were mentioned above. 

These and other advantages and features of the 
invention will become more apparent from the follow- 
so ing description of an illustrative embodiment of the in- 
vention taken together with the drawing. 

Brief Description of the Drawing 

55 FIG. 1 is a block diagram of an exemplary proc- 

essing system that includes an illustrative em- 
bodiment of the invention; 

FIG. 2 is a flow diagram of a password function 
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of a PASSWD arrangement of the system of FIG. 
1; 

FIG. 3 is a flow diagram of a password change 
function of the PASSWD arrangement of the sys- 
tem of FIG. 1; 

FIG. 4 is an illustrative view of a display of the 
system of FIG. 1 during execution of the function 
of FIG. 3; and 

FIG. 5 is an illustrative view of the display of the 
system of FIG. 1 during execution of the function 
of FIG. 2. 

Detailed Description 

FIG. 1 shows a general diagram of a processing 
system 10. Processing system may be any one of a 
wide variety of systems, such as a personal computer, 
a telecommunications terminal, a personal digital as- 
sistant, an entrance security system, a vehicle igni- 
tion control system, etc. Processing system 10 is a 
program-controlled system. It includes a memory 12 
that stores control programs and associated data, 
and a processor 11 that executes the programs. As is 
often conventional with such systems, processing 
system 10 also includes a visual display screen 15 
and one or more entry devices 14 (such as a key- 
board, a mouse, and/or a light pen or a touch pen) that 
are coupled to processor 11 by an input and output 
(I/O) interface 13. Display 15 may be a touch- 
sensitive display screen, and hence itself may func- 
tion as one of the entry devices 14. As described so 
far, processing system 10 and its component ele- 
ments 11-15 are conventional. 

Processing system 10 includes a graphical pass- 
word arrangement PASSWD 16, which in this illustra- 
tive example is implemented via a program and data 
stored in memory 12, and which controls user access 
to the application capabilities provided by processing 
system 10. The functionality of PASSWD 16 is repre- 
sented in flowchart form in FIGS. 2 and 3. 

Processing system 10 is initially provided to the 
user with the password function disabled. Upon pow- 
er-up of system 10, execution of PASSWD 16 is in- 
voked, at step 200 of FIG. 2, and PASSWD 16 checks 
whether the password function is enabled, at step 
202. If the password function is not enabled, 
PASSWD 16 grants the user unconditional access to 
processing system 10 and ceases execution, at step 
204. 

While using processing system 10, the user may 
request enablement of the password function or a 
new password by entering the proper command 
through an entry device 14. In response, execution of 
PASSWD 16 is invoked, at step 300 of FIG. 3, and 
PASSWD 16 prompts the user to provide a password 
image, at step 302. The user may provide an image 
in any one or more ways, such as by composing an 
image on display 1 5 via one or more entry devices 14, 



scanning in an existing image via an entry device 14, 
or selecting one from among a plurality of images that 
have been loaded and stored in memory 12. 
PASSWD 16 receives the password image provided 
5 by the user and stores it in memory 12, at step 304. 
It then displays the password image on display 15, at 
step 306. 

Alternatively, the password image may be prede- 
fined, and PASSWD 16 skips steps 302 and 304 and 

10 proceeds from step 300 directly to step 306. 

Following step 306, PASSWD 16 prompts the 
user to select the size and the number of tap regions 
that will make up the graphical password, at step 308. 
Tap regions are positions in the displayed password 

15 image. Illustratively, each tap region is a rectangle no 
larger than 1 0% of the password image size, and the 
graphical password consists of at least two tap re- 
gions. In response to receiving the user's selection, at 
step 310, PASSWD 16 displays the selected number 

20 of sequentially-numbered tap regions of the selected 
size along with the password image, at step 312. The 
tap regions may be displayed in a row along an edge 
of display 15, or arbitrarily positioned over the pass- 
word image. 

25 Alternatively, the number and size of tap regions 

may be predefined, and PASSWD 1 6 skips steps 308 
and 310 and proceeds directly from step 306 to step 
312. 

An illustrative example of the state of display 15 
30 following step 312 is shown in FIG. 4, where numeral 

400 designates the password image and numeral 401 
designates the tap regions. 

Following step 312, PASSWD 16 prompts the 
user to select a tap region 401 and to position it within 

35 password image 400, at step 314. The user performs 
these functions via one or more entry devices 14, 
such as by manipulating a cursor via a keyboard, 
pointing and dragging the cursor with a mouse, or tap- 
ping and sliding on display 15 with a light pen or a 

40 touch pen. If display 15 is a touch-sensitive screen, 
the user may perform the functions by tapping and 
sliding on display 15 with a finger. PASSWD 16 waits 
until the user makes a location selection on display 1 5 
via an entry device 14, at step 316, and determines 

45 the coordinates of the selected location, at step 31 8. 
It then determines whether the entry device 14 is lo- 
cated on a tap region 401 , that is, whether a tap region 

401 has been properly selected, at step 320. If not, 
PASSWD 16 returns to step 314 to repeat the instruc- 

50 tions to the user. 

If it is determined at step 320 that a tap region 401 
has been properly selected, PASSWD 16 tracks the 
movement of entry device 14 across display 15 and 
moves the selected tap region 401 along with the en- 

55 try device 14, at step 322, while checking for release 
of the selected tap region 401 by entry device 14, at 
step 324. Hence, entry device 14 serves to move the 
tap region 401 relative to the displayed predeter- 
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mined image 400. When it determines that entry de- 
vice 14 has released the selected tap region 401, 
PASSWD 16 stores the sequence number of the se- 
lected tap region 401 and the position coordinates of 
the location within password image 400 where it had 
been released, at step 326. PASSWD 16 then checks 
whether the user has indicated completion of pass- 
word selection, at step 330. Illustratively, in the exam- 
ple of FIG. 3, the user may indicate completion of 
password selection by selecting a displayed 
"done" indicator 402 via entry device 14. If the user 
has not indicated completion, PASSWD 16 returns to 
step 316 to await re-selection of a tap region 401. If 
the user has indicated completion, PASSWD 16 
marks the stored tap region sequence numbers and 
position coordinates in memory 12 as the new pass- 
word, at step 332, enables the password function, at 
step 334, and then ends its execution, at step 336. 

Alternatively, step 334 may be performed not by 
PASSWD 16 but manually by a user, via interaction 
with a separate control function of processing system 
10. 

Returning to FIG. 2, the next time that processing 
system 10 is powered up, execution of PASSWD 16 
is again invoked at step 200, and this time PASSWD 
16 determines at step 202 that the password function 
is enabled. In response, PASSWD 16 retrieves and 
displays on display 15 the stored password image 
400 without also displaying tap regions 401, at step 
206. An illustrative example of the state of display 1 5 
following step 206 and corresponding to FIG. 4 is 
shown in FIG. 5. PASSWD 16 also retrieves the total 
number of tap regions 401 that make up the pass- 
word, at step 208. PASSWD 16 then waits until the 
user makes a location selection on display 1 5 with en- 
try device 14, at step 210, and it obtains and stores 
the coordinates of the selected location, at step 212. 
Hence, entry device 14 serves to identify, under the 
user's control, the location selected by the user. Fol- 
lowing a selection, PASSWD 16 checks whether the 
number of selected locations equals the number of 
tap regions 401 that make up the password, at step 
214. If not, PASSWD 16 returns to step 210 to await 
another sequential selection; if so, PASSWD 16 pro- 
ceeds to compare the coordinates of each sequential- 
ly-selected location against the coordinates of the 
positions of the corresponding sequentially-num- 
bered tap region 401 within the password image 400 
to determine if the selected location lies within the 
corresponding tap region 401, at steps 216-220. If it 
is determined at step 218 that the sequence of select- 
ed locations sequentially corresponds to the se- 
quence of tap regions, entry of the password has 
been successful, and PASSWD 16 grants the user 
access to processing system 10 and ends its execu- 
tion, at step 226. 

If each selected location does not lie within the 
corresponding tap region 401 in password image 400, 



entry of the password has failed, and PASSWD 16 
checks whether a maximum allowed number of tries 
at entering the password has been exhausted, at step 
222. Illustratively, three tries are allowed. If the max- 

5 imum number of tries has not been exhausted, 
PASSWD 16 indicates failure to the user and prompts 
the user to try again, at step 224. PASSWD 16 then 
returns to step 210 to await the user's set of selec- 
tions. But if it is determined at step 222 that the max- 

w imum number of tries has been exhausted, PASSWD 
16 denies the user access to processing system 10, 
illustratively by turning power off in processing sys- 
tem 10, and ends its execution, at step 228. 

Of course, various changes and modifications to 

15 the illustrative embodiment described above will be 
apparent to those skilled in the art For example, a 
password may comprise a plurality of different im- 
ages, with each image containing one (or more) of the 
tap regions that make up the password. Thus, a dif- 

20 ferent image would be displayed after each tap (i.e., 
3 images, one tap/image). Or, the password may ad- 
ditionally require that particular tap regions be tapped 
at particular times. For example, the graphical image 
could be a moving image, such as a short cartoon, re- 

25 quiring the user to click and tap at right locations at the 
right time. Also, the password image could be a blank 
screen (i.e., no image), requiring the user to just re- 
member the location of the tap regions by "dead reck- 
oning" (presumably using extra-large tap regions). 

30 Such changes and modifications can be made with- 
out departing from the the scope of the invention and 
without diminishing its attendant advantages. 

35 Claims 

1. A password arrangement including means (15) 
for displaying a predetermined image (400), 
CHARACTERISED BY 

40 means (12:16) for storing a predetermined 

number of predetermined positions (401) in the 
predetermined image as a password; 

first means (13, 14, 11:200-212), respon- 
sive to a user, for determining a user's selections 

45 of locations in the displayed predetermined im- 

age; 

second means (16, 11:214-220) for deter- 
mining whether the determined locations select- 
ed by the user correspond to the predetermined 
so positions of the password; and 

means (11 :21 8-228) responsive to a deter- 
mination of a lack of correspondence between 
the determined locations and the predetermined 
positions, for denying the user access to a re- 
55 source protected by the password. 

2. The arrangement of claim 1 wherein 

the denying means include 
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means (1 1 :21 8-226) responsive to a deter- 
mination of correspondence between the deter- 
mined locations and the predetermined positions, 
for granting the user access to the resource. 

5 

3. The arrangement of claim 1 wherein 

the means for displaying include a visual 
display screen (15) for displaying the predeter- 
mined image; and 

the first determining include a device (14) 10 
for identifying, under user control, locations se- 
lected by the user in the displayed image. 

4. The arrangement of claim 1 wherein 

the predetermined positions (401) have a 15 
predetermined size and a predetermined shape; 
and 

the second determining means include 
means (11:218) for determining whether 
the determined locations selected by the user lie 20 
within the predetermined positions in the dis- 
played image. 

5. The arrangement of claim 1 wherein 

the storing means (12:16) further store a 25 
predetermined sequence of a predetermined 
plurality of the predetermined positions; 

the first determining means comprise 
means (11:210-214) for determining a sequence 
of the user's selections of the locations on the dis- 30 
played image; and 

the second determining means comprise 
means (11:216-220) for determining whether the 
sequence of the determined locations selected 
by the user sequentially corresponds to the se- 35 
quence of the predetermined positions of the 
password. 

6. The arrangement of claim 1 wherein 

the displaying means include 40 
means (15, 11:306-312), responsive to a 
request of the user, for displaying a number of 
position indicators along with the predetermined 
image; 

and the arrangement further comprises 45 
third means (14, 11:314-324) responsive 
to the user for determining a user's positioning of 
the displayed position indicators in the displayed 
predetermined image, and 

means (11:326-336), responsive to thede- so 
termined positioning, for storing positions of the 
position indicators in the displayed image as the 
predetermined positions in the storing means. 



7. The arrangement of claim 6 wherein 

the means for displaying include a visual 
display screen (15) for displaying the position in- 
dicators and the predetermined image; and 



55 



the third determining means include a de- 
vice (14) for moving the displayed position indica- 
tors on the visual display screen relative to the 
displayed predetermined image. 

8. The arrangement of claim 6 further comprising: 

means (12, 11:300-304) responsive to a 
request of the user, for storing an image designat- 
ed by the user as the predetermined image; and 
wherein 

the displaying means display the stored 

image. 

9. The graphical password arrangement of claim 1 
wherein: 

the means for storing comprise 
means (16) for storing a predetermined im- 
age (400) and a predetermined sequence of a 
predetermined plurality of predetermined tap re- 
gions (401) in the predetermined image as a 
password, the predetermined tap regions having 
a predetermined size and a predetermined 
shape; 

the means for displaying comprise 

display means (15) for displaying the stor- 
ed predetermined image; 

the first means comprise 

means (14) for selecting locations in the 
predetermined image displayed by display 
means, under user control, and 

means (11:200-212), cooperative with the 
selecting means, for determining a plurality of lo- 
cations selected under user control in a se- 
quence in the displayed predetermined image; 

the second means comprise 

means (11:214-220) for determining 
whether the selected locations lie within the pre- 
determined tap regions and whether the se- 
quence of the selected locations corresponds to 
the predetermined sequence of the predeter- 
mined tap regions; and 

the means for denying comprise 

means (11:218-228) responsive to a deter- 
mination either that the selected locations lie out- 
side of the predetermined tap regions or that the 
sequence of the selected locations differs from 
the sequence of the predetermined tap regions, 
for denying access to a resource protected by the 
password, and responsive to a determination that 
the selected locations lie within the predeter- 
mined tap regions and the sequence of the select- 
ed locations corresponds to the sequence of the 
predetermined tap regions, for granting access to 
the resource. 

10. The arrangement of claim 1 wherein 

the displaying means include 

means (11:306-312), responsive to a re- 
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quest of the user, for displaying the predeter- 
mined plurality of sequentially-designated tap re- 
gions having the predetermined size and the pre- 
determined shape, along with the predetermined 
image; 5 
the selecting means include 
means (14) for moving the displayed tap 
regions on the display means relative to the dis- 
played predetermined image, under user control; 
and 10 
the arrangement further comprises 
means (11:316-324) cooperative with the 
moving means for determining a positioning of 
the displayed sequentially-designated tap re- 
gions in the displayed predetermined image, and 15 

means (11 :324-336) responsive to the de- 
termined positioning, for storing positions of the 
sequentially-designated tap regions in the dis- 
played predetermined image as the predeter- 
mined sequence of the predetermined tap re- 20 
gions in the storing means. 

11. A method of controlling access to a resource pro- 
tected by a password, CHARACTERISED BY the 
steps of; 25 

displaying (206) a predetermined image; 

selecting locations (210-214) in the dis- 
played image, under user control; 

determining (216-219) whether the select- 
ed locations correspond to a predetermined num- 30 
ber of predetermined positions (401) in the prede- 
termined image that are stored as a password; 
and 

in response to a determination (218) that 
correspondence is lacking between the selected 35 
locations and the predetermined positions, deny- 
ing (222, 228) the user access to the resource. 
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